1 From

     2 http://git.php.net/?p=php-src.git;a=commitdiff;h=7d163e8a0880ae8af2dd869071393e5dc07ef271

     3 truncate results at depth of 255 to prevent corruption

     4 

     5 --- php-5.2.17/ext/xml/xml.c_orig	2010-11-03 07:18:28.000000000 -0700

     6 +++ php-5.2.17/ext/xml/xml.c	2013-07-12 08:31:01.397237583 -0700

     7 @@ -322,7 +322,7 @@

     8  	}

     9  	if (parser->ltags) {

    10  		int inx;

    11 -		for (inx = 0; inx < parser->level; inx++)

    12 +		for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++)

    13  			efree(parser->ltags[ inx ]);

    14  		efree(parser->ltags);

    15  	}

    16 @@ -800,45 +800,50 @@

    17  		} 

    18  

    19  		if (parser->data) {

    20 -			zval *tag, *atr;

    21 -			int atcnt = 0;

    22 +			if (parser->level <= XML_MAXLEVEL)  {

    23 +				zval *tag, *atr;

    24 +				int atcnt = 0;

    25  

    26 -			MAKE_STD_ZVAL(tag);

    27 -			MAKE_STD_ZVAL(atr);

    28 +				MAKE_STD_ZVAL(tag);

    29 +				MAKE_STD_ZVAL(atr);

    30  

    31 -			array_init(tag);

    32 -			array_init(atr);

    33 +				array_init(tag);

    34 +				array_init(atr);

    35  

    36 -			_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);

    37 +				_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);

    38  

    39 -			add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */

    40 -			add_assoc_string(tag,"type","open",1);

    41 -			add_assoc_long(tag,"level",parser->level);

    42 +				add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */

    43 +				add_assoc_string(tag,"type","open",1);

    44 +				add_assoc_long(tag,"level",parser->level);

    45  

    46 -			parser->ltags[parser->level-1] = estrdup(tag_name);

    47 -			parser->lastwasopen = 1;

    48 +				parser->ltags[parser->level-1] = estrdup(tag_name);

    49 +				parser->lastwasopen = 1;

    50  

    51 -			attributes = (const XML_Char **) attrs;

    52 +				attributes = (const XML_Char **) attrs;

    53  

    54 -			while (attributes && *attributes) {

    55 -				att = _xml_decode_tag(parser, attributes[0]);

    56 -				val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);

    57 -				

    58 -				add_assoc_stringl(atr,att,val,val_len,0);

    59 +				while (attributes && *attributes) {

    60 +					att = _xml_decode_tag(parser, attributes[0]);

    61 +					val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);

    62  

    63 -				atcnt++;

    64 -				attributes += 2;

    65 +					add_assoc_stringl(atr,att,val,val_len,0);

    66  

    67 -				efree(att);

    68 -			}

    69 +					atcnt++;

    70 +					attributes += 2;

    71  

    72 -			if (atcnt) {

    73 -				zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);

    74 -			} else {

    75 -				zval_ptr_dtor(&atr);

    76 -			}

    77 +					efree(att);

    78 +				}

    79 +

    80 +				if (atcnt) {

    81 +					zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);

    82 +				} else {

    83 +					zval_ptr_dtor(&atr);

    84 +				}

    85  

    86 -			zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);

    87 +				zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);

    88 +			} else if (parser->level == (XML_MAXLEVEL + 1)) {

    89 +				TSRMLS_FETCH();

    90 +				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");

    91 +			}

    92  		}

    93  

    94  		efree(tag_name);

    95 @@ -890,7 +895,7 @@

    96  

    97  		efree(tag_name);

    98  

    99 -		if (parser->ltags) {

   100 +		if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) {

   101  			efree(parser->ltags[parser->level-1]);

   102  		}

   103  

   104 @@ -974,18 +979,23 @@

   105  						}

   106  					}

   107  

   108 -					MAKE_STD_ZVAL(tag);

   109 -					

   110 -					array_init(tag);

   111 -					

   112 -					_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);

   113 +					if (parser->level <= XML_MAXLEVEL) {

   114 +						MAKE_STD_ZVAL(tag);

   115  

   116 -					add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);

   117 -					add_assoc_string(tag,"value",decoded_value,0);

   118 -					add_assoc_string(tag,"type","cdata",1);

   119 -					add_assoc_long(tag,"level",parser->level);

   120 +						array_init(tag);

   121  

   122 -					zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);

   123 +						_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);

   124 +

   125 +						add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);

   126 +						add_assoc_string(tag,"value",decoded_value,0);

   127 +						add_assoc_string(tag,"type","cdata",1);

   128 +						add_assoc_long(tag,"level",parser->level);

   129 +

   130 +						zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);

   131 +					} else if (parser->level == (XML_MAXLEVEL + 1)) {

   132 +						TSRMLS_FETCH();

   133 +						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");

   134 +					}

   135  				}

   136  			} else {

   137  				efree(decoded_value);